SMS not being triggered about github-oauth-prompt HOT 6 CLOSED

Solution found by @kenany in popomore/github-labels#3 (comment), confirmed in popomore/github-labels#3 (comment):

github.authorization.getAll does not seem to trigger the SMS. I guess you'd have to at least attempt an authorization creation.

• Replace github.authorization.getAll in authentication test to github.authentication.create to ensure an SMS code is sent by GitHub
• Add tests with api responses for SMS code

from github-oauth-prompt.

It seems to me that the API request must be a POST for the SMS to trigger: GET and DELETE aren't working.

What this package should really be doing is attempting to create the token with basic auth, then re-attempting with a code after receiving the "Must specify two-factor authentication OTP code" error.

from github-oauth-prompt.

@kenany I've managed to fix this but the code isn't in a release-worthy state. If you need this library to work with your SMS two-factor auth, I'll make a pre-release for you. Otherwise I'll work on writing tests for this and investigating POST vs GET further.

It doesn't seem right to me that GET requests require two-factor authentication but don't trigger an SMS code. I have contacted GitHub support about that.

from github-oauth-prompt.

From GitHub support:

While it's definitely confusing -- the behavior you observed is expected for now. Currently, only a POST request to /authorizations triggers an SMS message with an OTP token if the user has 2FA enabled. Other API calls will not trigger an SMS.

There's a few different reasons behind this, but we already have an open issue to discuss this decision and change the behavior. I can't promise if/when the behavior might be changed, but just wanted to let you know it's on our minds as well.

In the meantime, there's a workaround you could use. First, for making API calls to endpoints which are not in the "Authorizations API" group -- you should use an OAuth token. Second, for making API calls to create an OAuth token (POST /authorizations) you'll receive an SMS message. Finally, for the other endpoints in the "Authorizations API" group -- before making a request to the endpoint you want to call, make a dummy POST call to the /authorizations endpoint. This will trigger an SMS to the user which they can then use to authorize the next call you'll make right after. It's far from elegant, but it should get the job done.

from github-oauth-prompt.

@kenany Fixed in v0.2.2

from github-oauth-prompt.

👍

from github-oauth-prompt.